Tuesday, January 20, 2015

NSA Docs Show Almost No Access To North Korea Before 2010, And Limited Access Thereafter

“We lack uniform agreement on assessing many things in North Korea” - DNI James Clapper (2013)

According to the same NSA document released yesterday by Der Spiegel and quoted by the New York Times, NSA's access to North Korea "was next to nothing" prior to 2010. That rules out any direct NSA evidence that North Korea was responsible for the 2009 Independence Day attacks against U.S. and South Korean websites. Yet "unnamed officials with knowledge of the case" made the exact opposite claim (U.S. Spies Say They Tracked Sony Hackers For Years), a claim that can only be considered either fantasy or patently false given the staggering number of intelligence failures that we've experienced with North Korea over the long term and up to the present. Here are just a few examples:

2010: North Korea spent 18 months building a new uranium enrichment plant that we never discovered until they announced it in 2010.
2011: Kim Jong-il's death went undiscovered until NK television announced it over two days later.
2013: Three months after NK's third nuclear test, the U.S. still couldn't assess the state of NK's uranium enrichment. The CIA had to reverse its initial assessment of Kim Jong-un's military ambitions (greater than the CIA thought), and the DIA's assessment of the North's ability to shrink a warhead was publicly disputed by both Clapper and Obama.
2013: The Washington Post reported that the NSA's own Black Budget reveals that their North Korean access is the worst of any country.
More broadly, the lapses also raise a question of why, 63 years after the outbreak of the Korean War — itself a move the United States did not see coming — gathering information about the North has, in the words of one frequent intelligence consumer, “made Syria and Iran look like an open book.” - David Sanger and Choi Sang-Hun (NYTimes, May 2013)

What Do We Know About Attacks Blamed On North Korea

Pretty much everything that we think we know about cyber attacks coming from North Korea originates in South Korea. So the first question is - how accurate is South Korea's intelligence on the North? The answer, based upon multiple sources, is that it's questionable at best and fraudulent at worst.

The Economist featured an article about South Korea's troubled National Intelligence Service (NIS) in March, 2014.
"But the South’s efforts have been complicated by a series of intelligence mishaps. Won Sei-hoon, the former head of the NIS who resigned last March, is himself currently undergoing trial on charges of discrediting key opposition figures as pro-North leftists online and manipulating public opinion in favour of Ms Park in the run-up to the 2012 presidential election that brought her to power. The NIS says that its online posts were routine psychological warfare operations against North Korea. Now the president’s new spy chief, Nam Jae-joon, is under mounting pressure from the opposition and ruling-party politicians alike to step down amid an investigation into his agency's alleged fabrication of evidence in an espionage case. Last week prosecutors carried out a rare raid of the spooks’ headquarters—the second time the offices have been searched in just over a year. On March 15th prosecutors arrested an NIS agent in connection with the forgery."
The Economist article also addressed the benefits provided to North Korean defectors and the problems associated with fraudulent defector claims. All of the information that we think we know about Lab 110 and North Korea's cyber warfare capabilities in general came from North Korean defectors. Unfortunately, there's no way to judge how much of that is even accurate.

The 2009 Independence Day Attacks

The NIS claimed that it had intercepted a document from the North Korean government which ordered Lab 110 to "destroy the South Korean puppet communications networks in an instant".

What actually happened was that someone launched a weak DDoS attack using ancient malware (MyDoom) that had next to no impact at all. An interesting side point is that the MyDoom malware is believed to be Russian in origin, according to Kaspersky Lab. That kind of gross exaggeration suggests that the NIS may be just a tad over-zealous in its assessments of the North.

The 2013 Dark Seoul Attacks

I looked at four reports issued by four different cyber security companies on Dark Seoul. Of the four, McAfee implied that it was the North Korean government. Symantec's report said that the South Korean press blamed North Korea. Kaspersky said it couldn't say, and Sophos gave reasons why it probably wasn't North Korea.

SOPHOS LAB
"What's curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated. For this reason, it's hard to jump to the immediate conclusion that this was necessarily evidence of a "cyberwarfare" attack coming from North Korea."

KASPERSKY LAB
“So, is this an isolated incident or part of a bigger cyberwar campaign? Honestly speaking, we don't know.”

SYMANTEC
“While nation-state attribution is difficult, South Korean media reports have pointed to an investigation which concluded the attackers were working on behalf of North Korea.”

McAFEE
"Who conducted these attacks is still unclear, but our research gives some further insight into the likely source. The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source."

The 2014 Sony Attack

Attribution to North Korea for the Sony attack is built on flimsy, fraudulent, or non-existent intelligence. Pick two.

The private sector reports relied upon the Dark Seoul and Independence Day attacks, which conflicted with each other and failed to give direct attribution to North Korea. In the meantime, no one at the FBI, NSA, ODNI (Office of the Director of National Intelligence), or EOP (Executive Office of the President) can answer the most fundamental questions associated with criminal investigations.
- They don't know who actually attacked Sony.
- They don't know how they did it.
- They don't know why they did it.

By their own admission, the entire U.S. intelligence apparatus is dealing with a black hole when it comes to North Korea. Before 2010, the NSA had primarily relied upon South Korea's NIS, whose leadership has been charged with acts of fraud. Even after 2010, when the NSA supposedly had direct access to computers in NK, they missed pretty much everything of importance.

The RGB (North Korea's Reconnaissance General Bureau) has been built up by Western analysts to be a cyber warfare superpower, yet nothing about the Sony attack was sophisticated. Based upon linguistic analysis, the RGB most likely didn't use its own people, but why hire out? Certainly not because they couldn't do it themselves, and obviously not for plausible deniability. Kim's juvenile threats before the film's release made it easy to paint him as the culprit.

The answer to this riddle must lie somewhere in the political realm. For whatever reason, someone in a leadership position in the Intelligence Community or the EOP saw the Sony attack as an opportunity to score a win against North Korea after a miserable multi-year run of intelligence failures. Unfortunately, the President and the Directors of both the FBI and the NSA have staked their professional reputations on that stupid political act, and I predict that it will backfire in a spectacular way.